envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

New filter for transparent encryption of cookies #32066

Closed c0d1ngm0nk3y closed 1 week ago

c0d1ngm0nk3y commented 5 months ago

Title: New filter for transparent encryption of cookies

Description:

Some cookies might contain confidential data, e.g. OAuth access_token

see https://github.com/envoyproxy/envoy/issues/23508
see https://github.com/envoyproxy/envoy/issues/29656

Envoy could make sure that those cookies are encrypted before they are sent to the user and decrypted before the request is handled.

In case of OAuth, the confidential cookies like access_token would only be stored encrypted.

Our proposal would be a new filter (e.g. EncryptedCookies) which transparently handles cookie encryption. The filter would need 2 inputs:

Open Questions:

ramaraochavali commented 5 months ago

We can enhance this to headers as well, to handle cases where people can encrypt the stateful session header. cc: @wbpcode

loewenstein commented 5 months ago

Thanks @zuercher for triaging. What is the usual process for moving this forward?

github-actions[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

zuercher commented 4 months ago

Sorry, missed this question.

I think there are two parts to this.

  1. Some kind of document that provides clarity on the algorithm(s) to be used for encryption, what additional libraries will be needed to support those algorithms, etc. I think it should be possible to use the existing Secret Discovery Service mechanisms to obtain the necessary secret material, but you should confirm that based on the proposed algorithms and should discuss any changes needed in SDS before you start work. I don't think this needs to be particularly long, it just needs to flesh out some details and consider paths for future enhancements (e.g., if someone wants to add support for a different encryption algorithm how would it be configured; probably want to make it possible to do this vs having to revamp the API objects later). This would get published here and probably also on the Envoy Slack workspace for discussion. You can solicit advice on Slack as well, for instance in selecting an encryption algorithm.
  2. Is to follow the steps in CONTRIBUTING.md and the EXTENSION_POLICY.md. In particular, to be included in the main line Envoy build, you'll need a maintainer to sponsor the work. (Sorry, but I'm not available.)

derekargueta commented 2 months ago

Adding this functionality to the Header Mutation filter might be appropriate. I'm moving my query param modification PR to be a part of that filter since it operates on the :path header. Although I'm considering directly implementing encrypted cookies into the OAuth filter as a direct option, in which case idk how much use this filter would get.

wbpcode commented 1 month ago

> Although I'm considering directly implementing encrypted cookies into the OAuth filter as a direct option

If the oauth2 token is the core scenario, I think this is OK.

github-actions[bot] commented 1 week ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.